LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-06-2006, 10:05 PM   #1
chinmays
Member
 
Registered: Jan 2006
Posts: 37

Rep: Reputation: 15
How to modify tcpdump packets?


Hello people,

I have collected traces of a worm (as part of a research project).
Now I would like to replace the source code of the worm in the collected packets with some number (say 0). Can anyone suggest some tools for doing this, or any other ways of doing this?

--Thanks
 
Old 07-06-2006, 10:39 PM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
I found a website for a course exercise that included the file format of a tcpdump.out file: http://www.cs.huji.ac.il/course/2003...ex3/format.txt

However, if what you want to do is not publish the actual code of the worm in your paper, then replacing the text in the latex source of your paper, for example, might be a better way of doing things.

Otherwise, you may need to resort to reading the source code for tcpdump to discover the exact format used. Part of the answer, such as endianness, may depend on the machine that sent the payload in the first place, according to some of the descriptions I read while trying to google for an answer. Plus, the payload packets themselves could have been split up by a router along the way, so I think that different samples of the same worm could have different patterns, due to the differing lengths of the packets used to send it.

If you add to that the question of whether your tcpdump file is compressed, it may be better to work with a text-formatted version of your dumpfile rather than trying to replace bit patterns in the tcpdump file.

Good Luck!

Last edited by jschiwal; 07-06-2006 at 10:44 PM.
 
Old 09-24-2006, 12:42 AM   #3
chinmays
Member
 
Registered: Jan 2006
Posts: 37

Original Poster
Rep: Reputation: 15
Hey, thanks a lot for the reply.
I apologize for not replying earlier.
 
Old 09-24-2006, 01:31 PM   #4
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,536

Rep: Reputation: 148
Using libpcap (because tcpdump stores packets in pcap format) seems the best solution. It offers functions to load a trace, get the next packet, and so on. It also allows you to save a trace (including a modified trace) to another file.
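As an added example (not code from anyone in this thread), the following Python script does what Mara describes without needing libpcap bindings: it reads the classic pcap file that tcpdump writes, walks each Ethernet/IPv4 frame to the TCP or UDP payload, overwrites that payload with zeros, and writes a new pcap file. It keeps the headers, timestamps and lengths intact, so the traffic pattern survives even when (as jschiwal points out) the body was split across several packets, and it reads the file's magic number to handle either byte order. The sample capture inside the script is constructed for the demonstration; the link-type value 1 (Ethernet) and the 24-byte/16-byte header layouts are the standard pcap format.

```python
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4        # classic microsecond-resolution pcap magic number
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

# (ts_sec, ts_usec, original wire length, captured bytes)
Packet = Tuple[int, int, int, bytes]


def detect_endian(magic: bytes) -> str:
    """Return the struct byte-order prefix implied by the 4-byte file magic.
    The capturing host's byte order governs only the file and record headers;
    the frame bytes themselves are stored exactly as seen on the wire."""
    if struct.unpack("<I", magic)[0] == PCAP_MAGIC:
        return "<"
    if struct.unpack(">I", magic)[0] == PCAP_MAGIC:
        return ">"
    raise ValueError("not a classic pcap file (unknown magic)")


def parse_pcap(data: bytes) -> Tuple[str, int, List[Packet]]:
    """Split a pcap file into (endian prefix, link type, packet records)."""
    endian = detect_endian(data[:4])
    # magic, version major, version minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    packets: List[Packet] = []
    pos = 24
    while pos < len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        if pos + incl_len > len(data):
            raise ValueError("truncated packet record at offset %d" % pos)
        packets.append((ts_sec, ts_usec, orig_len, data[pos:pos + incl_len]))
        pos += incl_len
    return endian, linktype, packets


def write_pcap(endian: str, linktype: int, packets: List[Packet], snaplen: int = 65535) -> bytes:
    """Serialise packet records back into a pcap file in the given byte order."""
    out = [struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, orig_len, frame in packets:
        out.append(struct.pack(endian + "IIII", ts_sec, ts_usec, len(frame), orig_len))
        out.append(frame)
    return b"".join(out)


def payload_span(frame: bytes) -> Tuple[int, int]:
    """Locate the TCP/UDP payload in an Ethernet/IPv4 frame as (start, end).
    Returns (0, 0) when there is nothing to blank: non-IPv4, other protocols,
    or a frame too short to hold the headers."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return 0, 0
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4                       # IPv4 header length incl. options
    total_len = struct.unpack("!H", frame[ip_off + 2:ip_off + 4])[0]
    proto = frame[ip_off + 9]
    l4_off = ip_off + ihl
    if proto == IPPROTO_TCP and len(frame) > l4_off + 12:
        l4_len = (frame[l4_off + 12] >> 4) * 4             # TCP data offset incl. options
    elif proto == IPPROTO_UDP:
        l4_len = 8
    else:
        return 0, 0
    start = l4_off + l4_len
    end = min(ip_off + total_len, len(frame))              # exclude Ethernet trailer padding
    return (start, end) if end > start else (0, 0)


def zero_payloads(pcap_bytes: bytes) -> bytes:
    """Return a copy of the capture with every TCP/UDP payload overwritten by zeros.
    Headers, timestamps and lengths are preserved; only the body bytes change."""
    endian, linktype, packets = parse_pcap(pcap_bytes)
    if linktype != LINKTYPE_ETHERNET:
        return pcap_bytes                                   # other link layers copied through
    cleaned: List[Packet] = []
    for ts_sec, ts_usec, orig_len, frame in packets:
        start, end = payload_span(frame)
        frame = frame[:start] + b"\x00" * (end - start) + frame[end:]
        cleaned.append((ts_sec, ts_usec, orig_len, frame))
    return write_pcap(endian, linktype, cleaned)


def make_tcp_frame(payload: bytes) -> bytes:
    """Constructed test input: Ethernet + IPv4 + TCP headers around a payload.
    Checksums are left at zero; this is a synthetic sample, not a real capture."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64,
                     IPPROTO_TCP, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as src:
        sanitized = zero_payloads(src.read())
    with open(sys.argv[2], "wb") as dst:
        dst.write(sanitized)
```

Run it as `python zero_pcap.py worm.pcap worm-sanitized.pcap` (the file names are placeholders). Two caveats worth knowing before sharing the result: the TCP and UDP checksums still cover the original bytes, so tcpdump -vv or Wireshark will flag them as bad on the sanitized file unless you recompute them, and pcapng files (newer tcpdump/Wireshark default) use a different container and are rejected by the magic check rather than silently mangled.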